
How to Stop / shutdown iSQL*Plus

This short article shows how you can disable / shutdown / stop iSQL*Plus in Oracle. This web-based version of SQL*Plus has been available since version 8iR3 (8.1.7) and is a useful tool, but there are a few known security issues with its use in a production environment. Because it uses internet techniques to access the database, you should be careful with its use. The SANS step-by-step guide has some details on securing iSQL*Plus. These are also covered in the SANS S.C.O.R.E document and the CISecurity Oracle benchmark. Both are based on the SANS step-by-step and can be found here.

For instance, just in Feb 2004 a new CSS exploit was made public on the Oracle security alerts website, using this tool as the example.

Here is how to disable iSQL*Plus:

On Windows, find the file %ORACLE_HOME%\Apache\Apache\conf\oracle_apache.conf and comment out the following line:

		#
		#include "C:\oracle\ora90\sqlplus\admin\isqlplus.conf"
		#
						

Save the file and then restart Apache; iSQL*Plus will no longer work. The restart can be done from:

Start -> Settings -> Control Panel -> Administrative Tools -> Services, and then locate the Oracle HTTP server. For instance, on my Oracle 9iR2 Personal Oracle it is called "OracleOraHome90HTTPServer"; it may be different on your system. Simply click on the restart link to the left of the screen.

On Unix the file name is the same and it is in the same location, but use $ORACLE_HOME instead of %ORACLE_HOME%. To restart Apache on Unix, use the apachectl script with the start and stop commands.

Finally, you can test whether iSQL*Plus is indeed disabled by going to http://:7778/isqlplus in your favourite browser.
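The Unix steps above can be scripted so that the edit is repeatable and checkable. The following is an added example, not part of the original article or of any Oracle tooling; the function names are hypothetical, and it assumes the include line has the same form as the Windows one shown above.

```shell
#!/bin/sh
# Added example (not from the article): audit and disable the iSQL*Plus
# include in oracle_apache.conf on Unix. Function names are hypothetical.
# Assumed location, per the article:
#   $ORACLE_HOME/Apache/Apache/conf/oracle_apache.conf

# Matches an active (uncommented) include of isqlplus.conf.
# Apache accepts both "include" and "Include".
ISQLPLUS_RE='^[[:space:]]*[Ii]nclude[[:space:]].*isqlplus\.conf'

# Exit status 0 if the include is still active, 1 if commented out or absent.
isqlplus_enabled() {
    grep -Eq "$ISQLPLUS_RE" "$1"
}

# Comment out the include, keeping a backup copy next to the original.
# Returns 0 on success (or if already disabled), 2 on any error.
disable_isqlplus() {
    conf=$1
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 2; }
    if ! isqlplus_enabled "$conf"; then
        echo "iSQL*Plus include already disabled in $conf"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2
    tmp=$(mktemp) || return 2
    # Prefix only the matching include line(s) with '#'.
    # Writing back with cat keeps the original file's owner and mode.
    sed -E "/$ISQLPLUS_RE/s/^/#/" "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    # Verify the edit before reporting success.
    if isqlplus_enabled "$conf"; then
        echo "include still active in $conf" >&2
        return 2
    fi
    echo "Commented out iSQL*Plus include; now restart Apache with apachectl"
}
```

Run `disable_isqlplus "$ORACLE_HOME/Apache/Apache/conf/oracle_apache.conf"` as the Oracle software owner. `isqlplus_enabled` can also be used on its own as an audit check across several Oracle homes.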


